mumble-1.2.3-2.1.mga2 has been submitted to core/updates_testing for Mageia 2.

Assignee: bugsquad => qa-bugs

Thanks Manuel for highlighting that this was already reported in #5921

Colin, please see Bug 6511 first.  There is a security issue there.  Fedora also fixed several other bugs in their update.

CC: (none) => luigiwalser, qa-bugs
Assignee: qa-bugs => mageia

Updating the advisory and assigning back to QA.  See Comment 0 for more info.

Advisory:
========================

Updated mumble packages fix security vulnerability:

Mumble 1.2.3 and earlier uses world-readable permissions for
.local/share/data/Mumble/.mumble.sqlite files in home directories,
which might allow local users to obtain a cleartext password and
configuration data by reading a file (CVE-2012-0863).

Also, the version of mumble shipped with Mageia 2 does not properly
find and use the celt 0.7.1 library. This is the most common celt
version and is required for communication with the Windows and OSX
clients. This resulted in Mumble being able to connect fine, playback 
nd record audio, appear as if everything is working perfectly, but
then simply fail to play or send any audio.

The updated packages fix these issues.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0863
http://www.debian.org/security/2012/dsa-2411
========================

Updated packages in core/updates_testing:
========================
mumble-1.2.3-2.2.mga2
mumble-11x-1.2.3-2.2.mga2
mumble-protocol-kde4-1.2.3-2.2.mga2
mumble-plugins-1.2.3-2.2.mga2
mumble-server-1.2.3-2.2.mga2

from mumble-1.2.3-2.2.mga2.src.rpm

CC: qa-bugs => mageia
Assignee: mageia => qa-bugs

Rebuild for Mageia 2 pending qt4 in updates_testing being fixed.

See https://bugs.mageia.org/show_bug.cgi?id=6511#c11

It has been built now.  Colin, does anything need to be added to the advisory?

Packages built:
mumble-1.2.3-2.2.2.mga2
mumble-11x-1.2.3-2.2.2.mga2
mumble-protocol-kde4-1.2.3-2.2.2.mga2
mumble-plugins-1.2.3-2.2.2.mga2
mumble-server-1.2.3-2.2.2.mga2
mumble-server-web-1.2.3-2.2.2.mga2

from mumble-1.2.3-2.2.2.mga2.src.rpm

David, you can mention in the advisory that the missing -web package for mga2 has been restored (I'm not sure how well it works in practice but it's likely better than nothing!). In both mga1 and mga2 the ICE support has been re-enabled. I've not really any clue what this is but it was needed for the weblist.php file.

Advisory:
========================

Updated mumble packages fix security vulnerability:

Mumble 1.2.3 and earlier uses world-readable permissions for
.local/share/data/Mumble/.mumble.sqlite files in home directories,
which might allow local users to obtain a cleartext password and
configuration data by reading a file (CVE-2012-0863).

Additionally, the version of mumble shipped with Mageia 2 does not
properly find and use the celt 0.7.1 library. This is the most common
celt version and is required for communication with the Windows and OSX
clients. This resulted in Mumble being able to connect fine, playback 
and record audio, appear as if everything is working perfectly, but
then simply fail to play or send any audio.

The updated packages fix these issues.

Finally, the mumble-server-web package is being provided, as it was not
provided initially with Mageia 2, and ICE support has been enabled.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0863
http://www.debian.org/security/2012/dsa-2411
========================

Updated packages in core/updates_testing:
========================
mumble-1.2.3-2.2.2.mga2
mumble-11x-1.2.3-2.2.2.mga2
mumble-protocol-kde4-1.2.3-2.2.2.mga2
mumble-plugins-1.2.3-2.2.2.mga2
mumble-server-1.2.3-2.2.2.mga2
mumble-server-web-1.2.3-2.2.2.mga2

from mumble-1.2.3-2.2.2.mga2.src.rpm

On Mageia 2 i586:

Once the two celt libraries libcelt0_2 and libcelt071_0 were installed, I installed all the mumble packages:
mumble
mumble-11x
mumble-protocol-kde4
mumble-plugins
mumble-server

I started Mumble from command line. I could check that 
lsof | grep ^mumble| grep celt
only yelds
/usr/lib/libcelt0.so.2.0.0

I could confirm the security issue:
ll -a .local/share/data/Mumble/Mumble/.mumble.sqlite
- rw-r--r-- 1 malo malo 27648 Jul 26 17:07 .local/share/data/Mumble/Mumble/.mumble.sqlite

Once I installed the packages from testing,
ll -a .local/share/data/Mumble/Mumble/.mumble.sqlite
- rw------- 1 malo malo 27648 Jul 26 17:17 .local/share/data/Mumble/Mumble/.mumble.sqlite
and the celt thing is fixed.

I don't know anything about mumble, but starting mumble and connecting to a server seems to work.
As for mumble-server-web, when I go to http://localhost/cgi-bin/mumble-server/weblist.cgi, I get an error about a murmur service not available.

So, except for the mumble-server-web thing, the update seems to fix the bugs. I'll wait for an answer about mumble-server-web.

CC: (none) => malo

Running murmur-user-wrapper once, then restarting the mumble-server-web allowed me to use mumble to connect to my own server, and see myself connected in the weblist page.

Testing completed on Mageia 2 i586.

Whiteboard: (none) => MGA2-32-OK

Testing x86_64

Before
------
# rpm -qa | grep lib64celt
lib64celt071_0-0.7.1-1.mga2
lib64celt051_0-0.5.1.3-2.mga2
lib64celt0_2-0.11.1-1.mga2

$ mumble

# lsof | grep ^mumble| grep celt
mumble    13517          claire  mem       REG                8,1     92336     675782 /usr/lib64/libcelt0.so.2.0.0
mumble    13517 13533    claire  mem       REG                8,1     92336     675782 /usr/lib64/libcelt0.so.2.0.0
mumble    13517 13535    claire  mem       REG                8,1     92336     675782 /usr/lib64/libcelt0.so.2.0.0
mumble    13517 13542    claire  mem       REG                8,1     92336     675782 /usr/lib64/libcelt0.so.2.0.0
mumble    13517 13543    claire  mem       REG                8,1     92336     675782 /usr/lib64/libcelt0.so.2.0.0

$ ll -a .local/share/data/Mumble/Mumble/.mumble.sqlite
-rw-r--r-- 1 claire claire 54272 Aug  1 12:23 .local/share/data/Mumble/Mumble/.mumble.sqlite

After
-----
$ ll -a .local/share/data/Mumble/Mumble/.mumble.sqlite
-rw------- 1 claire claire 38912 Aug  1 12:26 .local/share/data/Mumble/Mumble/.mumble.sqlite

# lsof | grep ^mumble| grep celt
mumble    13925          claire  mem       REG                8,1     92336     675782 /usr/lib64/libcelt0.so.2.0.0
mumble    13925          claire  mem       REG                8,1     75944     580659 /usr/lib64/libcelt071.so.0.0.0
mumble    13925 13927    claire  mem       REG                8,1     92336     675782 /usr/lib64/libcelt0.so.2.0.0
mumble    13925 13927    claire  mem       REG                8,1     75944     580659 /usr/lib64/libcelt071.so.0.0.0
mumble    13925 13928    claire  mem       REG                8,1     92336     675782 /usr/lib64/libcelt0.so.2.0.0
mumble    13925 13928    claire  mem       REG                8,1     75944     580659 /usr/lib64/libcelt071.so.0.0.0
mumble    13925 13930    claire  mem       REG                8,1     92336     675782 /usr/lib64/libcelt0.so.2.0.0
mumble    13925 13930    claire  mem       REG                8,1     75944     580659 /usr/lib64/libcelt071.so.0.0.0
etc.

Seems to be using mixed lib versions now. I'll test the server and try to connect to it in a moment.

Apache will not start with mumble-server-web installed. From /var/log/httpd/error.log..

[Wed Aug 01 12:48:53 2012] [notice] core dump file size limit raised to 18446744073709551615 bytes
[Wed Aug 01 12:48:54 2012] [notice] Digest: generating secret for digest authentication ...
[Wed Aug 01 12:48:54 2012] [notice] Digest: done
/usr/share/slice/Murmur.ice:9: error: Can't open include file "Ice/SliceChecksumDict.ice"
    #include <Ice/SliceChecksumDict.ice>
1 error in preprocessor.
PHP Fatal error:  Unable to start ice module in Unknown on line 0

It did install ice as a dependency..

# urpmi mumble-server-web
In order to satisfy the 'mail-server' dependency, one of the following packages is needed:
 1- postfix-2.8.8-1.mga2.x86_64: Postfix Mail Transport Agent (to install)
 2- sendmail-8.14.5-2.mga2.x86_64: A widely used Mail Transport Agent (MTA) (to install)
What is your choice? (1-2) 2
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Release")
  cyrus-sasl                     2.1.23       19.mga2       x86_64  
  ice                            3.3.1        5.mga2        x86_64  
  perl-CGI-Session               4.480.0      1.mga2        noarch  
  perl-HTML-Template             2.900.0      1.mga1        noarch  
  perl-Image-Magick              6.7.5.10     2.mga2        x86_64  
  perl-Net-DNS                   0.680.0      1.mga2        x86_64  
  php-ice                        3.3.1        5.mga2        x86_64  
  sendmail                       8.14.5       2.mga2        x86_64  
(medium "Core Updates Testing")
  mumble-server-web              1.2.3        2.2.2.mga2    x86_64  
14MB of additional disk space will be used.
3.2MB of packages will be retrieved.
Proceed with the installation of the 9 packages? (Y/n) y

Maybe some more information towards the end here..
http://sourceforge.net/tracker/index.php?func=detail&aid=3009456&group_id=147372&atid=768005

If I change the #include line in /usr/share/slice/Murmur.ice from 

#include <Ice/SliceChecksumDict.ice>

to

#include </usr/share/ice/slice/Ice/SliceChecksumDict.ice>

apache starts fine and I can access the url:
http://localhost/cgi-bin/mumble-server/weblist.cgi 

and see 

Server #1
total: 0

I can also add server localhost in mumble and connect to it.

Colin this seems a simple fix for mumble-server, could you have another look at it please?

Thanks!

Testes on x86_64, I confirm Claire's tests.

After:
-------
# rpm -qa | grep lib64celt
lib64celt071_0-0.7.1-1.mga2
lib64celt0_2-0.11.1-1.mga2
lib64celt051_0-0.5.1.3-2.mga2

# lsof | grep ^mumble| grep celt
mumble    10759          stefano  mem       REG                8,1     92336     411331 /usr/lib64/libcelt0.so.2.0.0
mumble    10759          stefano  mem       REG                8,1     75944     452206 /usr/lib64/libcelt071.so.0.0.0
mumble    10759 10763    stefano  mem       REG                8,1     92336     411331 /usr/lib64/libcelt0.so.2.0.0
mumble    10759 10763    stefano  mem       REG                8,1     75944     452206 /usr/lib64/libcelt071.so.0.0.0
mumble    10759 10764    stefano  mem       REG                8,1     92336    

Test connection to a server : Ok, It works.

# ll -a .local/share/data/Mumble/Mumble/.mumble.sqlite
-rw------- 1 stefano stefano 27648 ago  3 12:10 .local/share/data/Mumble/Mumble/.mumble.sqlite

The web-server test going to page http://localhost/cgi-bin/mumble-server/weblist.cgi

Server #1
total: 0 

Webserver is going well without any workaround.

Bye
Stefano

CC: (none) => stblack
Whiteboard: has_procedure feedback MGA2-32-OK => has_procedure feedback MGA2-32-OK, MGA2-64-OK

(In reply to comment #17)
> Webserver is going well without any workaround.
> 
> Bye
> Stefano

That's strange. What is the output from :
rpm -qa | grep mumble
rpm -qa | grep "\bice\b"

Confirming what Clair found on Mageia 2 x86-64, 
From /var/log/httpd/error_log
[Mon Aug 13 20:51:35 2012] [notice] Digest: done
/usr/share/slice/Murmur.ice:9: error: Can't open include file "Ice/SliceChecksumDict.ice"
    #include <Ice/SliceChecksumDict.ice>
1 error in preprocessor.
PHP Fatal error:  Unable to start ice module in Unknown on line 0

CC: (none) => davidwhodgins

mumble-1.2.3-2.3.mga2 should fix the php-ice pb.

Please check if you get the following message in apache logs after installing murmur-server-web and restarting apache:

If so, then I'll have to add another patch.

Thanks Samuel.  Updating the advisory.

Advisory:
========================

Updated mumble packages fix security vulnerability:

Mumble 1.2.3 and earlier uses world-readable permissions for
.local/share/data/Mumble/.mumble.sqlite files in home directories,
which might allow local users to obtain a cleartext password and
configuration data by reading a file (CVE-2012-0863).

Additionally, the version of mumble shipped with Mageia 2 does not
properly find and use the celt 0.7.1 library. This is the most common
celt version and is required for communication with the Windows and OSX
clients. This resulted in Mumble being able to connect fine, playback 
and record audio, appear as if everything is working perfectly, but
then simply fail to play or send any audio.

The updated packages fix these issues.

Finally, the mumble-server-web package is being provided, as it was not
provided initially with Mageia 2, and ICE support has been enabled.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0863
http://www.debian.org/security/2012/dsa-2411
========================

Updated packages in core/updates_testing:
========================
mumble-1.2.3-2.2.3.mga2
mumble-11x-1.2.3-2.2.3.mga2
mumble-protocol-kde4-1.2.3-2.2.3.mga2
mumble-plugins-1.2.3-2.2.3.mga2
mumble-server-1.2.3-2.2.3.mga2
mumble-server-web-1.2.3-2.2.3.mga2

from mumble-1.2.3-2.2.3.mga2.src.rpm

I've just started looking at how to test this one, now that httpd starts ok
with the update.

$ murmur-user-wrapper -i
Creating /home/dave/murmur/murmur.ini
Could not find template for murmur.ini in /usr/share/doc/mumble-server/examples.

I manualy copied /usr/share/doc/mumble-server/murmur.ini to ~/murmur, after
which murmur-user-wrapper starts the private server, and murmur-user-wrapper -k
stops it ok.

$ grep emailfrom /etc/mumble-server.ini
emailfrom =dave@x2v.hodgins.homeip.net

The postfix server is running, and I can send mail, but when I go to
http://localhost/cgi-bin/mumble-server/register.cgi
enter the same email address, and select register, a message pops up
at the top with "And how am I supposed to send email there?".

I've setup my own dns server ...
$ host x2v.hodgins.homeip.net
x2v.hodgins.homeip.net has address 192.168.10.106
$ host 192.168.10.106
106.10.168.192.in-addr.arpa domain name pointer x2v.hodgins.homeip.net.

In /var/log/mumble-server/mumble-server.log there is a message ...
Registration: No DNS records found: Source-based callback failed. Server not reachable.

# rpm -q -a|grep  celt
lib64celt0_2-0.11.1-1.mga2
libcelt0_2-0.11.1-1.mga2

Should it be installing the other celt libraries?

Suggestions?

I can't answer, I only tried to fix the Ice problem. 

I suppose the email issue is not a regression, if so I'd still validate, unless Colin sees what the problem is. 

About the celt libs I'll let Colin answer :)

It probably should install at least the 0.7.1 version of the celt libs as this is the most commonly used (see the initial advisory text in the initial comment), so IMO this should be made a require.

No idea about the mail/DNS stuff. My only guess would be something to do with chroots and not properly propagating /etc/resolv.conf changes, but it seems a bit unlikely for such a daemon to do that.

Ping colin. Did you add the require you mentioned colin?

If you are short of time at the moment we can create a new bug report for that and test and validate this security update. 

It has been in testing for a while now. Please let us know.

Thanks :)

Sorry Claire. Got a massive backlog. Going to try and clear some of it tonight :)

As for this issue, it seems there *is* are require already.

From the spec:

# (cg) The celt libraries are loaded dynamically but we need at least 0.7.1 to
# be compatible with the Windows and OSX clients
# The 0.11 version can work if the clients (and presumably the server) all
# support it.
# Using mklibname is not ideal but it's the easiest option for now
Requires:	%{mklibname celt 071 0}
Suggests:	%{mklibname celt 0 2}



And indeed testing it on  my mga2 machine:
[colin@marley ~]$ sudo urpmi --searchmedia CoreUpdatesTesting-64 mumble
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "CoreRelease-64")
  espeak                         1.46.02      1.mga2        x86_64  (suggested)
  g15daemon                      1.9.5.3      7.mga1        x86_64  
  lib64celt071_0                 0.7.1        1.mga2        x86_64  
  lib64dotconf0                  1.3          1.mga2        x86_64  (suggested)
  lib64espeak1                   1.46.02      1.mga2        x86_64  (suggested)
  lib64g15_1                     1.2.7        3.mga2        x86_64  
  lib64g15daemon_client1         1.9.5.3      7.mga1        x86_64  
  lib64g15render1                1.2          8.mga1        x86_64  
  lib64protobuf6                 2.4.1        1.mga2        x86_64  
  lib64speechd2                  0.7.1        3.mga2        x86_64  
  perl-Inline                    0.500.0      1.mga2        x86_64  
  speech-dispatcher              0.7.1        3.mga2        x86_64  (suggested)
(medium "CoreUpdates-64")
  qt4-database-plugin-sqlite     4.8.2        1.3.mga2      x86_64  
(medium "CoreUpdatesTesting-64")
  mumble                         1.2.3        2.3.mga2      x86_64  
  mumble-plugins                 1.2.3        2.3.mga2      x86_64  
10MB of additional disk space will be used.
4.1MB of packages will be retrieved.
Proceed with the installation of the 15 packages? (Y/n) 


So indeed lib64celt071_0 is pulled in.


So I'm not quite sure how Dave got the results he did in comment 22 :s

I'd be tempted to just push this one as is. At least it gets it out there and if there are more problems we can sort them later.

Testing complete Mageia 2 i586 and x86-64.

Could someone from the sysadmin team push the srpm
mumble-1.2.3-2.2.3.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and
link the following packages from Core Release to Core Updates
lib64celt071_0-0.7.1-1.mga2 (Core Release)
lib64dbcxx4.8-4.8.30-8.mga2 (Core Release)
lib64ice33-3.3.1-5.mga2 (Core Release)
lib64mcpp0-2.7.2-2.mga1 (Core Release)

Advisory: Updated mumble packages fix security vulnerability:

Mumble 1.2.3 and earlier uses world-readable permissions for
.local/share/data/Mumble/.mumble.sqlite files in home directories,
which might allow local users to obtain a cleartext password and
configuration data by reading a file (CVE-2012-0863).

Additionally, the version of mumble shipped with Mageia 2 does not
properly find and use the celt 0.7.1 library. This is the most common
celt version and is required for communication with the Windows and OSX
clients. This resulted in Mumble being able to connect fine, playback 
and record audio, appear as if everything is working perfectly, but
then simply fail to play or send any audio.

The updated packages fix these issues.

Finally, the mumble-server-web package is being provided, as it was not
provided initially with Mageia 2, and ICE support has been enabled.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0863
http://www.debian.org/security/2012/dsa-2411
========================

https://bugs.mageia.org/show_bug.cgi?id=6581

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure => has_procedure MGA2-32-OK MGA2-64-OK

Packages linked and Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0248

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED